Solved

Active Directory Lightweight Directory Services (AD-LDS) - What are you using it for, and how?

Posted on 2015-02-24
248 Views
Last Modified: 2015-02-26
Hello,

I am working with AD-LDS and am trying to create a single sign-on solution that can be used for web servers / applications / etc. Can anyone describe what they are using AD-LDS for and how they're syncing from Active Directory?
Question by:jkeegan123
5 Comments
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40629445
AD-LDS is not the right tool for that job. If you are looking for single sign-on, you want ADFS.
 
LVL 5

Author Comment

by:jkeegan123
ID: 40629679
Perhaps I was not being clear; I thought that AD-LDS was the right tool here. What I want to do is combine multiple directories using AD-LDS, so that (5) or so Windows domains in different sites, connected via VPN without trusts, can make use of the single AD-LDS directory that we pull / sync accounts into from each of the 5 domains.

Am I getting warmer?  :)
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40629716
*IF* you want single sign-on, no. Windows specifically hardens credential storage on DCs so there is no legitimate way to sync credentials to AD-LDS. Also AD-LDS doesn't have Kerberos support built in like AD-DS. You could create a custom property in AD-LDS (after all, that's why it is there) to store passwords (hashed or otherwise) but you'd be writing your own authentication mechanism to write that property and it would *not* be an SSO experience at all. Because it'd be a custom property and a custom authentication method, there is no way to even enforce that the passwords are the same.

AD-LDS *does* support proxying authentication back into AD-DS, but it only does so if AD-LDS is a member server, and it only does so to a domain controller of the domain of which the AD-LDS server is a member. That would not work with your 5-domain scenario with no trusts, as it would not be able to proxy requests to four of the domains, and the DCs, not having trusts, would not be able to handle the proxied requests.

In short, if you have permissions to sync AD objects, I'm not sure why you wouldn't implement trusts. That'd be a far more efficient process. And for most SSO web scenarios, you'll need ADFS any which way. So I still don't see AD-LDS being the right tool here.
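A way to check the constraint described in the accepted answer against a real AD-LDS instance, as an added example that is not code from the thread or from Microsoft: it lists the userProxy / userProxyFull objects in an application partition (the objects AD-LDS uses for bind redirection) and reports which ones carry a SID from the domain the AD-LDS host is joined to. A proxy whose SID belongs to some other domain can only be redirected if that domain is trusted; with no trust, as in the five-domain scenario above, the bind simply fails. The server name, port and partition DN are placeholders, the script assumes it runs on the domain-joined AD-LDS host with the ActiveDirectory PowerShell module installed, and `ConvertTo-Sid` / `Get-LdsProxyAudit` are helper names chosen for this example.

```powershell
# Added example (not from the thread): audit AD-LDS proxy objects for bind redirection.
# Assumptions: run on the AD-LDS host, which is a domain member; the ActiveDirectory
# module is installed; $LdsServer and $PartitionDN are placeholders for your instance.
Import-Module ActiveDirectory

function ConvertTo-Sid {
    # The AD module may return objectSid as a SecurityIdentifier, a byte array,
    # or a string depending on the object class; normalise all three forms.
    param([Parameter(Mandatory)] $Value)
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    if ($Value -is [byte[]]) {
        return New-Object System.Security.Principal.SecurityIdentifier($Value, 0)
    }
    return New-Object System.Security.Principal.SecurityIdentifier([string]$Value)
}

function Get-LdsProxyAudit {
    param(
        [Parameter(Mandatory)] [string] $LdsServer,    # placeholder, e.g. 'lds01.corp.example:50000'
        [Parameter(Mandatory)] [string] $PartitionDN   # placeholder, e.g. 'CN=Apps,DC=corp,DC=example'
    )

    # SID of the domain this AD-LDS host is joined to. On a workgroup machine
    # Get-ADDomain fails, which is itself the answer: no bind redirection at all.
    $hostDomain    = (Get-CimInstance Win32_ComputerSystem).Domain
    $hostDomainSid = (Get-ADDomain -Identity $hostDomain).DomainSID.Value

    # userProxy and userProxyFull are the AD-LDS classes used for bind redirection;
    # the AD module talks to AD-LDS when -Server is given as host:port.
    $proxies = Get-ADObject -Server $LdsServer -SearchBase $PartitionDN -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=userProxy)(objectClass=userProxyFull))' `
        -Properties objectSid

    foreach ($p in $proxies) {
        if ($null -eq $p.objectSid) {
            # A proxy without objectSid can never be redirected anywhere.
            [pscustomobject]@{ DN = $p.DistinguishedName; DomainSid = $null; Proxyable = $false; Note = 'no objectSid set' }
            continue
        }
        # AccountDomainSid strips the RID, leaving the SID of the issuing domain.
        $domainSid = (ConvertTo-Sid $p.objectSid).AccountDomainSid.Value
        $ok   = ($domainSid -eq $hostDomainSid)
        $note = if ($ok) { 'host domain: bind can be redirected' }
                else     { 'foreign domain: redirect needs a trust, otherwise the bind fails' }
        [pscustomobject]@{ DN = $p.DistinguishedName; DomainSid = $domainSid; Proxyable = $ok; Note = $note }
    }
}

# Usage (placeholder values): show only the proxies that cannot be redirected.
# Get-LdsProxyAudit -LdsServer 'lds01.corp.example:50000' -PartitionDN 'CN=Apps,DC=corp,DC=example' |
#     Where-Object { -not $_.Proxyable } | Format-Table DN, DomainSid, Note -AutoSize
```

Run it before building anything on top of bind redirection: every row flagged as a foreign domain is an account that will look present in the directory but will never be able to log in through AD-LDS, which is exactly the trap the accepted answer warns about.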
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 40634107
Thank you, that was a very succinct explanation for why this will not work.

I REALLY think that the tech community at large SEVERELY misunderstands what AD-LDS can and cannot do... What I learned through this long journey is:

- Exactly how to work with and set up AD-LDS --> It's very useful and cool
- Exactly the nuances of setting up schema differences between domains / partitions. This was useful in and of itself.
- The tech community enjoys very much posting 75% of their experience and missing the last 25%.  This is probably because most people have no idea exactly what this is capable of.

Thank you VERY much for your help.

I still need to sync passwords between domains; this is more of a service-provider relationship than a true multi-domain scenario where domains can be trusted... Do you have any tips on using another tool to do this, perhaps Forefront Identity Management (FIM)? I see that RACKSPACE, Intermedia, etc. do similar syncs to what I'm talking about, where we have to target a specific OU for source accounts (can't take the entire directory, bad idea...) and PCNS (Password Change Notification Service) runs on every DC to notify the provider of the password change.

Do you know of any way to implement something like this? I'm willing to go down the FIM road, but I need to know if this is the right tool before going on this journey.

Thanks!
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40634128
FIM can do this and is actually what Microsoft's own implementation of dirsync was built on.